diff options
| author | Vadim Sukhomlinov <sukhomlinov@google.com> | 2023-04-13 19:00:39 -0700 |
|---|---|---|
| committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-04-14 15:35:10 +0000 |
| commit | 2f9b98535ef6760e0fcbde879b25cbab42c96105 (patch) | |
| tree | 40083e03a802db158972046ac90be20375dd56f8 | |
| parent | b3b3c92ea4f7bbadd6968761d5047163559f7cf6 (diff) | |
| download | chrome-ec-2f9b98535ef6760e0fcbde879b25cbab42c96105.tar.gz | |
cr50: set compiler options to ensure reproducible FIPS module
As per b/277777628 FIPS module build depends on value of `CC` env var,
which is not a desirable behavior.
1. Add -fconserve-stack to FIPS module builds explicitly to make sure
its digest is same as reported and doesn't depend on environment.
2. gcc specific option moved to core/cortex-m/build.mk
3. Verified that binutils workaround is still needed (b/238039591)
BUG=b:277777628, b:238039591
TEST=make BOARD=cr50; tpm_test.py, FIPS digest is the same
Change-Id: I664cee178de400efed3fe2e06b9b4b72f6ce6067
Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4425068
Commit-Queue: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Code-Coverage: Vadim Sukhomlinov <sukhomlinov@chromium.org>
| -rw-r--r-- | Makefile.toolchain | 7 | ||||
| -rw-r--r-- | board/cr50/build.mk | 2 | ||||
| -rw-r--r-- | core/cortex-m/build.mk | 4 |
3 files changed, 5 insertions, 8 deletions
diff --git a/Makefile.toolchain b/Makefile.toolchain index c0ffc5a715..27d40a80ee 100644 --- a/Makefile.toolchain +++ b/Makefile.toolchain @@ -102,13 +102,6 @@ CFLAGS=$(CPPFLAGS) $(CFLAGS_CPU) $(CFLAGS_DEBUG) $(COMMON_WARN) $(CFLAGS_y) CFLAGS+= -ffunction-sections -fshort-wchar CFLAGS+= -fno-delete-null-pointer-checks CFLAGS+= -fno-PIC -ifneq ($(cc-name),clang) -CFLAGS+= -ffat-lto-objects -CFLAGS+= -fconserve-stack -# Disable assembler warnings -# TODO (b/238039591) Remove this when binutils updates to 2.37+ -CFLAGS+= -Wa,-W -endif CFLAGS+=$(CFLAGS_CHIP) $(CFLAGS_BOARD) CXXFLAGS+=-DPROTOBUF_INLINE_NOT_IN_HEADERS=0 diff --git a/board/cr50/build.mk b/board/cr50/build.mk index a62a43bd1e..45301733f9 100644 --- a/board/cr50/build.mk +++ b/board/cr50/build.mk @@ -201,7 +201,7 @@ FIPS_MODULE=dcrypto/fips_module.o FIPS_LD_SCRIPT=$(BDIR)/dcrypto/fips_module.ld RW_FIPS_OBJS=$(patsubst %.o, $(RW_BD_OUT)/%.o, $(fips-y)) $(RW_FIPS_OBJS): CFLAGS += -frandom-seed=0 -fno-fat-lto-objects -Wswitch\ - -Wsign-compare -Wuninitialized + -Wsign-compare -Wuninitialized -fconserve-stack $(RW_FIPS_OBJS): | $(out)/ec_version.h $(out)/env_config.h rw_board_deps := $(addsuffix .d, $(RW_FIPS_OBJS)) diff --git a/core/cortex-m/build.mk b/core/cortex-m/build.mk index b18d01e114..cf2d851c77 100644 --- a/core/cortex-m/build.mk +++ b/core/cortex-m/build.mk @@ -34,6 +34,10 @@ CFLAGS_CPU += -fno-ipa-modref # Set an option to force LTO to generate target machine code export CFLAGS_LTO_PARTIAL_LINK := -flinker-output=nolto-rel +# -ffat-lto-objects is a workaround for b/134623681 +# Disable assembler warnings +# TODO (b/238039591) Remove `-Wa,W` when binutils is fixed. +CFLAGS_CPU += -Wa,-W -ffat-lto-objects -fconserve-stack endif core-y=cpu.o init.o ldivmod.o llsr.o uldivmod.o vecttable.o |